Author Topic: Security flaw in gov site that allows SSN to be harvested (Read 990 times)

MrHigh · « **on:** September 14, 2014, 09:24:04 am »

My friend has this site that she is finished havesting data from and she wants to know how to go about it from here. She only harvested full names, SSN, and DOB.

1. She can report the error to the admins and give them their own PI just for the lulz. If she does this, she can no longer get additional info on people.

2. She can leave it open and risk other novice hackers find the flaw, which will make her data less valuable. However, she could get people's addresses and other info if needed.

3. She could contact local news crews, give them their own PI, explain how she got it, and she if they call the site out on the news.

What should she do?

MrHigh · « **Reply #1 on:** October 04, 2014, 07:18:51 pm »

Reported.

degenerate matter · « **Reply #2 on:** October 04, 2014, 07:43:19 pm »

The security community as a whole benefits from prompt disclosure of any bugs found, so the ethical thing to do is report the flaw to the sysadmin, then post a public description of how you accomplished the hack in order to help others avoid making the same configuration mistake.

iam · « **Reply #3 on:** October 04, 2014, 07:49:23 pm »

'she'

didn't know sluts have computers in the kitchen

Tokolosh · « **Reply #4 on:** October 04, 2014, 10:16:12 pm »

Quote from: MrHigh on October 04, 2014, 07:18:51 pm

Reported.

Whitehat pussy

Quote from: iam on October 04, 2014, 07:49:23 pm

'she'

didn't know sluts have computers in the kitchen

I'm sure microwaves have ethernet ports nowadays. Something about Radioactive Broadband for the best Jacket potato internet experience.

komokazi · « **Reply #5 on:** October 05, 2014, 12:05:37 am »

The value of the goods will not be affected by simply one site's security configuration. Also, OP most likely just works somewhere and stole the information.

MrHigh · « **Reply #6 on:** October 07, 2014, 06:10:18 pm »

Quote from: Tokolosh on October 04, 2014, 10:16:12 pm

Whitehat pussy

I only reported it because I have already harvested all of the current SSN in it.

They have fix it, for the most part. I can still get into other user's accounts, but I cant view the SSN and other personal information.

Lets pretend like this is a couple that end in 1234...

Scott J Betterly
04/28/1971
542-04-1234

Darren F Rainey
03/16/1973
565-89-1234

MrHigh · « **Reply #7 on:** October 07, 2014, 06:12:05 pm »

Also, lol @ the kidiots that dont know how to check if last name + DOB matches a SSN.

MrHigh · « **Reply #8 on:** October 18, 2014, 06:20:15 pm »

http://www.oregonlive.com/money/index.ssf/2014/10/data_breach_manager_resignation_point_to_more_employment_department_woes.html

MrHigh · « **Reply #9 on:** October 20, 2014, 05:42:53 pm »

Here's another one...

http://www.statesmanjournal.com/story/news/2014/10/13/employment-records-hacked/17230193/

Fun times.

News:

Author Topic: Security flaw in gov site that allows SSN to be harvested (Read 990 times)

MrHigh

Security flaw in gov site that allows SSN to be harvested

MrHigh

Re: Security flaw in gov site that allows SSN to be harvested

degenerate matter

Re: Security flaw in gov site that allows SSN to be harvested

iam

Re: Security flaw in gov site that allows SSN to be harvested

Tokolosh

Re: Security flaw in gov site that allows SSN to be harvested

komokazi

Re: Security flaw in gov site that allows SSN to be harvested

MrHigh

Re: Security flaw in gov site that allows SSN to be harvested

MrHigh

Re: Security flaw in gov site that allows SSN to be harvested

MrHigh

Re: Security flaw in gov site that allows SSN to be harvested

MrHigh

Re: Security flaw in gov site that allows SSN to be harvested